Dependency-Track

Note: First time using Dependency-Track? Please refer to the following documentation.

Introduction

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track takes a unique and highly beneficial approach by leveraging the capabilities of Software Bill of Materials (SBOM). This approach provides capabilities that traditional Software Composition Analysis (SCA) solutions cannot achieve.

Dependency-Track monitors component usage across all versions of every application in its portfolio in order to proactively identify risk across an organization. The platform has an API-first design and is ideal for use in CI/CD environments. The Dependency-Track integration with Conviso Platform is done through this API.

Dependency-Track Setup

In order to set up the Dependency-Track integration, you need an API token generated on your dedicated Dependency-Track instance. To find it, go to Administration in the left sidebar, then select Access Management, and under it, Teams. You’ll be presented with a table listing a few predefined teams, one of them being Administrators:

Click on the Administrators row to open the options, and under the API Keys section, click the [+] icon. A new key will be created for you:

Conviso Platform Setup

Log in to the Conviso Platform.

On the main menu to the left, click on Integrations. In the panel to the right, click on the SCA option, then click on the Integrate button on the Dependency Track card:

You will be presented with the following form. Enter the token generated above in the API Token field, and your Dependency-Track address, in the format http://<service_ip>:<service_port>/api, in the API URL field. After filling in all the fields in this modal, click on the Save button to store your integration configuration:

If everything goes right, you’ll be presented with the following screen. Check the box of the project you want to import and click Finish in the corner:
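Before saving the form, it helps to confirm that the two values it asks for are usable; the following pre-flight check is an added example, not Conviso's or Dependency-Track's own code, and it assumes Dependency-Track's REST API (the X-Api-Key header, GET /api/version and GET /api/v1/project), with the sample project list below being constructed. Note that a key created under the Administrators team carries every permission, so handle it as a privileged credential.

```python
# Added example (not Conviso's or Dependency-Track's own code): a pre-flight
# check of the two values the form above asks for. Assumes Dependency-Track's
# REST API: X-Api-Key header, GET /api/version, GET /api/v1/project.
import json
import urllib.request
from urllib.parse import urlparse

def normalize_api_url(url: str) -> str:
    """Validate the 'API URL' value: http(s)://<service_ip>:<service_port>/api.
    Rejects the UI address without /api and strips a trailing slash."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"API URL must start with http:// or https://: {url!r}")
    path = parsed.path.rstrip("/")
    if not path.endswith("/api"):
        raise ValueError(f"API URL must end with /api: {url!r}")
    return f"{parsed.scheme}://{parsed.netloc}{path}"

def api_headers(api_key: str) -> dict:
    """Dependency-Track reads the team API key from the X-Api-Key header."""
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("API key is empty or contains whitespace")
    return {"X-Api-Key": api_key, "Accept": "application/json"}

def summarize_projects(body: bytes) -> list:
    """Reduce a GET /api/v1/project body to (name, version, uuid) rows,
    i.e. the projects the Conviso import screen lets you tick."""
    return [(p.get("name"), p.get("version"), p.get("uuid")) for p in json.loads(body)]

def check_instance(api_url: str, api_key: str) -> list:
    """Live check: the server answers on /version (no auth) and the key can
    list projects on /v1/project (needs portfolio view permission)."""
    base = normalize_api_url(api_url)
    with urllib.request.urlopen(f"{base}/version", timeout=10) as resp:
        print("Dependency-Track version:", json.loads(resp.read()).get("version"))
    req = urllib.request.Request(f"{base}/v1/project", headers=api_headers(api_key))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return summarize_projects(resp.read())

# Constructed sample shaped like a GET /api/v1/project response (not real data).
SAMPLE_PROJECTS = json.dumps([
    {"name": "billing-service", "version": "2.3.1", "uuid": "00000000-0000-0000-0000-000000000001"},
    {"name": "web-frontend", "version": "1.0.0", "uuid": "00000000-0000-0000-0000-000000000002"},
]).encode()

if __name__ == "__main__":
    import sys
    print(check_instance(sys.argv[1], sys.argv[2]))  # usage: <api_url> <api_key>
```

If the URL check fails, the value most likely points at the web UI rather than the /api base; if /version answers but /v1/project returns 401, the key was pasted incorrectly or belongs to a team without portfolio permissions.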

When the sync is done, go to the Assets Management screen and open the asset corresponding to the imported project. At the bottom of the page there will be a Synchronize button. You may click on Logs to keep track of the process while it is being carried out:

When the synchronization is finished, you’ll be able to find the project and its associated findings on their respective pages.